diff --git a/roles/mail_server/handlers/main.yml b/roles/mail_server/handlers/main.yml
index e58a195d9ed3f5d6a14ddabdf70419b13df59af5..139af3eaf1ad8125777298081ea6d84c3025474b 100644
--- a/roles/mail_server/handlers/main.yml
+++ b/roles/mail_server/handlers/main.yml
@@ -7,4 +7,7 @@
   service: name="postfix" state=restarted
 - name: Restart Dovecot
-  service: name="dovecot" state=restarted
\ No newline at end of file
+  service: name="dovecot" state=restarted
+
+- name: Restart ClamAV Milter
+  service: name="clamav-milter" state=restarted
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml
index f5a011fbd6c6b14179ef92b822c4a0e0b2f329a9..add7aea597245b1297ce054799dfaca1fbb8bec7 100644
--- a/roles/mail_server/tasks/main.yml
+++ b/roles/mail_server/tasks/main.yml
@@ -22,6 +22,44 @@
 - name: Install SWAKS
   apt: name="swaks" state=installed
+- name: Set ClamAV Milter socket path
+  debconf: name=clamav-milter question=clamav-milter/MilterSocket vtype=string value=/var/spool/postfix/var/run/clamav/clamav-milter.ctl
+
+- name: Have ClamAV Milter reject infected files
+  debconf: name=clamav-milter question=clamav-milter/OnInfected vtype=select value=Reject
+
+- name: Have ClamAV Milter log full information about infected mails
+  debconf: name=clamav-milter question=clamav-milter/LogInfected vtype=select value=Full
+
+- name: Set ClamAV Milter reject message
+  debconf: name=clamav-milter question=clamav-milter/RejectMsg vtype=string value="Your message has been rejected due to a possible virus (%v). Please contact the postmaster if you believe this is incorrect."
+
+- name: Do not limit log file size for ClamAV Milter
+  debconf: name=clamav-milter question=clamav-milter/LogFileMaxSize vtype=string value=0M
+
+- name: Allow members of Postfix group to access the ClamAV Milter socket file
+  debconf: name=clamav-milter question=clamav-milter/MilterSocketGroup vtype=string value=postfix
+
+- name: Restrict access to ClamAV Milter socket to socket owner and group.
+  debconf: name=clamav-milter question=clamav-milter/MilterSocketMode vtype=string value=660
+
+- name: Install milter packages
+  apt: name=clamav-milter state=installed
+
+- name: Make sure that the ClamAV Milter socket file path is correct (workaround for Debian bug \#778445)
+  lineinfile: dest=/etc/clamav/clamav-milter.conf state=present backrefs=yes
+    line="MilterSocket /var/spool/postfix/var/run/clamav/clamav-milter.ctl"
+    regexp="^MilterSocket "
+  notify:
+    - Restart ClamAV Milter
+
+- name: Set-up privileges for directories within Postfix chroot
+  file: dest="{{ item }}" mode=755
+  with_items:
+    - /var/spool/postfix/var
+    - /var/spool/postfix/var/run
+    - /var/spool/postfix/var/run/clamav
+
 - name: Copy the LDAP TLS truststore into Postfix chroot
   file: dest="/var/spool/postfix/etc/ssl/certs/truststore.pem" src="/etc/ssl/certs/truststore.pem" mode=644 owner=root group=root state=file
@@ -69,6 +107,15 @@
   notify:
     - Restart Postfix
+- name: Enable ClamAV service
+  service: name="{{ item }}" state=started
+  with_items:
+    - clamav-daemon
+    - clamav-freshclam
+
+- name: Enable ClamAV milter service.
+  service: name=clamav-milter state=started
+
 - name: Enable Postfix service
   service: name=postfix enabled=yes state=started
diff --git a/roles/mail_server/templates/main.cf.j2 b/roles/mail_server/templates/main.cf.j2
index 435e57973f8d295ca0272aca625dec262e63149f..6315a8f8237db6f6d4819253f2f068fd1ea73cb5 100644
--- a/roles/mail_server/templates/main.cf.j2
+++ b/roles/mail_server/templates/main.cf.j2
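Review bot: The security properties this hunk relies on — OnInfected=Reject, MilterSocketGroup=postfix and MilterSocketMode=660 — are set only as debconf answers, and the Ansible debconf module writes the debconf database without reconfiguring an already-installed package, so on a host where clamav-milter is already present (or on any re-run after the file has drifted) these values are never written to /etc/clamav/clamav-milter.conf and no handler is notified; the commit already acknowledges this for MilterSocket with the lineinfile workaround, but the socket permissions and the reject policy deserve the same treatment. The existing workaround also uses `backrefs=yes`, which makes lineinfile a silent no-op when no active `^MilterSocket ` line exists (for example if it is commented out), so the socket would stay at the default location while main.cf points into the chroot. I would add one lineinfile task that pins the remaining directives without `backrefs`, as sketched below, and would also give the "Set-up privileges" task `state=directory` so it creates the chroot path instead of failing when it is absent (who should own `/var/spool/postfix/var/run/clamav` so the milter can create its socket there is not visible in this diff and should be confirmed).
```yaml
# … unchanged: debconf preseeds, apt install of clamav-milter, MilterSocket workaround …
- name: Enforce ClamAV Milter settings that debconf only applies at package configure time
  lineinfile: dest=/etc/clamav/clamav-milter.conf state=present
              line="{{ item.key }} {{ item.value }}"
              regexp="^{{ item.key }} "
  with_items:
    - { key: OnInfected, value: Reject }
    - { key: MilterSocketGroup, value: postfix }
    - { key: MilterSocketMode, value: "660" }
  notify:
    - Restart ClamAV Milter
```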
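Review bot: The ClamAV tasks added at the top of this hunk use `state=started` only, while the Postfix task two lines below uses `enabled=yes state=started`; because main.cf in this commit leaves `milter_default_action` at its Postfix default of tempfail, a clamav-milter that is not enabled at boot means every message is deferred after a reboot until someone starts it by hand. Make the two tasks consistent with the Postfix one: `service: name="{{ item }}" enabled=yes state=started` and `service: name=clamav-milter enabled=yes state=started`. Debian packages normally enable their services on install, so this is probably redundant on a fresh host, but the role should not depend on that. The task names say "Enable" while the module call only starts the service, so the added argument also makes the names true.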
@@ -52,13 +52,19 @@
 dovecot_destination_recipient_limit = 1
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
+
+# TLS configuration.
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = {{ smtp_tls_certificate }}
 smtpd_tls_key_file = {{ smtp_tls_key }}
+
+# Recipients restricting.
 smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated {% for rbl in smtp_rbl -%} reject_rbl {{ rbl }} {% endfor -%} reject_unauth_destination
+smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
+non_smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl
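Review bot: The two milter socket paths added at the end of the hunk are resolved inside the Postfix chroot — the tasks in this commit place the socket at /var/spool/postfix/var/run/clamav/clamav-milter.ctl while main.cf names /var/run/clamav — and nothing in the template says so, so a later maintainer is likely to "correct" the path to the host location and break scanning. Add above them: `# Milter sockets are resolved inside the Postfix chroot (/var/spool/postfix); the host path is /var/spool/postfix/var/run/clamav/clamav-milter.ctl.` The hunk also leaves `milter_default_action` unset, so Postfix's default of tempfail applies and mail is deferred rather than accepted unscanned when clamav-milter is down; that fail-closed choice is the right one for a virus scanner, but it should be explicit with `milter_default_action = tempfail` so nobody later assumes scanning is best-effort. Whether cleanup(8), which applies `non_smtpd_milters`, is also chrooted depends on master.cf, which is outside this diff; if it is not, that path would need the host location instead.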